Another mystery bot example

Here’s another example of bizarre hits. Two hits for this six-year-old page coming in within 30 minutes of each other:

138.162.8.57 - - [15/Oct/2009:12:12:16 -0400] "GET /2003/07/28/blimps-and-other-things-bizarre/ HTTP/1.1" 200 5094 "-" "Mozilla/4.0 (compatible;)"

[snip]

138.163.106.72 - - [15/Oct/2009:12:44:33 -0400] "GET /2003/07/28/blimps-and-other-things-bizarre/ HTTP/1.1" 200 5094 "-" "Mozilla/4.0 (compatible;)"

The first resolves to gate2-jacksonville.nmci.navy.mil and the second resolves to gate2-bremerton.nmci.navy.mil. It looks like there’s a full-scale botnet attack going on behind the DoD firewalls right now.

More clues in the government botnet mystery

The plot thickens in the government botnet mystery I recently wrote about. This morning I got hits from the Navy-Marine Corps Intranet, specifically a host identified as gate3-norfolk.nmci.navy.mil.

Again, it started off innocently with a Google search, with the browser properly identified:

138.162.0.41 - - [15/Oct/2009:08:36:27 -0400] "GET /2008/12/19/beware-the-police-protective-fund/ HTTP/1.1" 200 6377 "http://www.google.com/search?hl=en&source=hp&q=police+protective+fund&aq=f&oq=&aqi=g10" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"

A few more hits down, I see the random jumping around I’d seen before:

138.162.0.41 - - [15/Oct/2009:08:36:30 -0400] "GET /2008/12/20/a-mange-in-a-wager/ HTTP/1.1" 200 4191 "-" "Mozilla/4.0 (compatible;)"
138.162.0.42 - - [15/Oct/2009:08:36:30 -0400] "GET /2003/07/29/goodbye-bplog-hello-drupal/ HTTP/1.1" 200 14042 "-" "Mozilla/4.0 (compatible;)"
138.162.0.44 - - [15/Oct/2009:08:36:30 -0400] "GET /2003/07/27/action-packed_weekend/ HTTP/1.1" 200 4371 "-" "Mozilla/4.0 (compatible;)"
138.162.0.43 - - [15/Oct/2009:08:36:30 -0400] "GET /2003/07/24/keys_keys_keys/ HTTP/1.1" 200 5531 "-" "Mozilla/4.0 (compatible;)"
138.162.0.45 - - [15/Oct/2009:08:36:31 -0400] "GET /2008/12/18/progress/feed/ HTTP/1.1" 200 1973 "-" "Mozilla/4.0 (compatible;)"

My site is apparently being indexed by computers on a government-run network, but the question is exactly what is indexing it? Is this some sort of proxy technology that government gateways are now using, sampling websites that government users are viewing to ensure that these websites don’t have questionable content? Or, is this a botnet of compromised government computers as I recently suggested? Or (tinfoil hats, please), is this a secret spidering project run by a three-letter agency that uses the gateways of various government departments as cover?

The bottom line is these hits are inconsistent with a human browser. Beyond that I’m not sure what to make of them.

U.S. Government networks thoroughly penetrated

I saw this in my webserver logs today, from the U.S. Nuclear Regulatory Agency. Clearly it’s a botnet bot.

148.184.174.62 - - [13/Oct/2009:12:25:44 -0400] "GET /wp-content/themes/mtdotnet/images/kubrickfooter.jpg HTTP/1.1" 200 2443 "http://www.markturner.net/2009/10/01/michael-jordans-net-worth/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
148.184.174.62 - - [13/Oct/2009:12:25:44 -0400] "GET /2009/10/02/oculan-in-the-news/feed/ HTTP/1.1" 200 797 "-" "Mozilla/4.0 (compatible;)"
148.184.174.62 - - [13/Oct/2009:12:25:44 -0400] "GET /2009/10/02/u2-yesterday-and-today/ HTTP/1.1" 200 6617 "-" "Mozilla/4.0 (compatible;)"
148.184.174.62 - - [13/Oct/2009:12:25:44 -0400] "GET /2009/09/30/juggling-breakthrough/feed/ HTTP/1.1" 200 2083 "-" "Mozilla/4.0 (compatible;)"
148.184.174.62 - - [13/Oct/2009:12:25:44 -0400] "GET /2009/09/30/netflixs-plan-to-take-over-the-world/ HTTP/1.1" 200 6419 "-" "Mozilla/4.0 (compatible;)"
148.184.174.62 - - [13/Oct/2009:12:25:45 -0400] "GET /2009/10/02/u2-yesterday-and-today/feed/ HTTP/1.1" 200 1375 "-" "Mozilla/4.0 (compatible;)"
148.184.174.62 - - [13/Oct/2009:12:25:45 -0400] "GET /2003/07/27/action-packed-weekend/feed/ HTTP/1.1" 200 1260 "-" "Mozilla/4.0 (compatible;)"

Botnet

It’s definitely a botnet I’m seeing. Since it has a common HTTP_USER_AGENT I have banned that agent. If you’re a human and you’re still using IE6, you’re out of luck, dude.

Unknown bot detected

This morning I was looking through the webserver logs for MT.Net when I noticed the following three successive hits from yesterday:

91.120.21.161 - - [24/Sep/2009:07:34:15 -0400] "GET /category/Checking%20In/ HTTP/1.1" 404 11629 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
24.77.243.153 - - [24/Sep/2009:07:34:17 -0400] "GET /category/Checking%20In/ HTTP/1.0" 404 11629 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
200.43.232.165 - - [24/Sep/2009:07:34:22 -0400] "GET /category/Checking%20In/ HTTP/1.0" 404 11629 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

Highly suspicious, right? Three different IPs hit the same obscure link at the same time, all with identical browser strings?

Then there were these hits from this morning:

77.94.32.33 - - [25/Sep/2009:06:42:14 -0400] "GET /2009/09/22/ HTTP/1.0" 200 15894 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
77.94.32.33 - - [25/Sep/2009:06:42:27 -0400] "GET /2009/09/23/ HTTP/1.0" 200 17625 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
77.94.32.33 - - [25/Sep/2009:06:42:34 -0400] "GET /wp-login.php?action=register HTTP/1.0" 200 4141 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
190.175.0.151 - - [25/Sep/2009:06:43:09 -0400] "GET /wp-login.php?action=register HTTP/1.1" 200 4141 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
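
The two tells these posts rely on, a bare "Mozilla/4.0 (compatible;)" User-Agent with no referrer, and several unrelated addresses fetching the same obscure URL within seconds of each other, are easy to check mechanically. The script below is an added example, not code from the original posts; it parses Apache combined-format lines (the sample input is the Navy and "Checking In" entries quoted above) and reports both patterns. The 30-second window and the three-address threshold are assumptions chosen to match the hits shown here, not values from the posts.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The truncated agent string the posts observe on the bot traffic.
BARE_AGENT = "Mozilla/4.0 (compatible;)"

# Sample input: the log entries quoted in the posts above (straight quotes restored).
SAMPLE_LOG = """\
138.162.0.41 - - [15/Oct/2009:08:36:27 -0400] "GET /2008/12/19/beware-the-police-protective-fund/ HTTP/1.1" 200 6377 "http://www.google.com/search?hl=en&source=hp&q=police+protective+fund&aq=f&oq=&aqi=g10" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
138.162.0.41 - - [15/Oct/2009:08:36:30 -0400] "GET /2008/12/20/a-mange-in-a-wager/ HTTP/1.1" 200 4191 "-" "Mozilla/4.0 (compatible;)"
138.162.0.42 - - [15/Oct/2009:08:36:30 -0400] "GET /2003/07/29/goodbye-bplog-hello-drupal/ HTTP/1.1" 200 14042 "-" "Mozilla/4.0 (compatible;)"
91.120.21.161 - - [24/Sep/2009:07:34:15 -0400] "GET /category/Checking%20In/ HTTP/1.1" 404 11629 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
24.77.243.153 - - [24/Sep/2009:07:34:17 -0400] "GET /category/Checking%20In/ HTTP/1.0" 404 11629 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
200.43.232.165 - - [24/Sep/2009:07:34:22 -0400] "GET /category/Checking%20In/ HTTP/1.0" 404 11629 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def parse_log(text):
    """Parse every line of a log file, silently skipping lines that do not match."""
    return [e for e in map(parse_line, text.splitlines()) if e]


def flag_bare_agent(entries, agent=BARE_AGENT):
    """Entries presenting the truncated agent string and no referrer."""
    return [e for e in entries if e["ua"] == agent and e["referer"] == "-"]


def find_distributed_hits(entries, window_seconds=30, min_ips=3):
    """Paths fetched by at least `min_ips` distinct addresses, all sending the
    same User-Agent, inside some `window_seconds` interval (assumed thresholds)."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["path"], e["ua"])].append(e)
    findings = []
    for (path, ua), hits in groups.items():
        hits.sort(key=lambda e: e["time"])
        best = set()
        j = 0
        # Sliding window over the time-sorted hits; j only ever moves forward.
        for i in range(len(hits)):
            while j < len(hits) and (hits[j]["time"] - hits[i]["time"]).total_seconds() <= window_seconds:
                j += 1
            ips = {e["ip"] for e in hits[i:j]}
            if len(ips) > len(best):
                best = ips
        if len(best) >= min_ips:
            findings.append({"path": path, "ua": ua, "ips": sorted(best)})
    return findings


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in flag_bare_agent(entries):
        print("bare agent:", e["ip"], e["path"])
    for f in find_distributed_hits(entries):
        print("distributed:", f["path"], "from", ", ".join(f["ips"]))
```

Run it against a real access log with `parse_log(open("access.log").read())`; the bare-agent check is what the user-agent ban below acts on, while the distributed-hits check catches the "Checking In" pattern even when each bot sends a fully-formed browser string.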

Unknown warranty call

I got this car warranty call yesterday from an unknown Caller ID. My efforts to reach a live human being were unsuccessful, as I got disconnected when I pressed “0.”

Here’s a recording of the call in case others are interested in hearing what these calls sound like. When I get time I’ll add the others I collect.

Spam bot figures out SABRE math test

It was bound to happen eventually. This morning a spam bot figured out the math test check that my SABRE plugin was using to filter human website visitors from spam bots. This happened on one of my less-frequented blogs, which actually helped me discover it as that particular blog doesn’t get many registrations.

Looks like now I’ll have to graduate my blog universe to the full-blown CAPTCHA tests if I want to keep the Russian spammers from crashing the MT.Net party.

Turning the tables on hackers

Every dark cloud has a silver lining, and the recent hacker attacks on MT.Net are no exception. Once I had safely reassembled the website and taken measures against active attacks, I realized what risk hackers run when they attempt remote code execution attacks like the one they ran on my site: they expose the location of their hacker code!

After repelling a couple of attacks per day, I got wise and began to contact the owners of the websites used to attack my site, politely letting them know their servers had been compromised. After doing this for five or so websites, the hacker attacks against my site all but dried up! Perhaps I hit a nerve?

It’s still usually not worth the trouble to track hackers back to their original IP addresses (or at least, not worth the trouble for anyone lacking search warrant power), but taking away a few of a hacker’s precious hideouts sends a message that messing with me comes at a cost.

Blogging and hackers

I found the Stop Forum Spam site this morning when watching l0ser bots try to register accounts on MT.Net. A Google search on an email address used by an obvious bot brought me to the site. There’s an API for automated rejection of these fake user accounts which I’m thinking of using to head off many of the hacker attacks I’ve seen. I’m thinking blocking attacks at the Apache level would be ideal.

On another note, it looks like my WordPress hack post has become very popular with hackers and webmasters alike. Hackers frequently use its URL to attempt cross-site scripting attacks against my machine, while webmasters point to it as one of the first public announcements of a critical WordPress vulnerability. Kudos again to MT.Net reader Scootdawg for being the first to see my blog wasn’t working!

On yet another note, I’m thinking of writing a screenplay where a lowly blogger disses the reclusive dictator of a backwards Asian country and becomes an unwilling “guest” of the dictator for a bizarre weekend.